Add checks for potentially dangerous trailing characters in files and excludes fields

Characters such as |, / can have unintended and potentially dangerous effects when used in trailing position of the files and exclude fields of pre-commit hooks. This change adds tests to display a WARNING when user adds these characters in some specific ways in files and exclude fields.
2026-04-15 01:51:46 +04:00 · 2025-07-30 20:05:49 +02:00 · 2025-07-30 20:05:49 +02:00 · 5a0366bcb0
commit 5a0366bcb0
parent c6817210b1
2 changed files with 102 additions and 0 deletions
--- a/pre_commit/clientlib.py
+++ b/pre_commit/clientlib.py
@ -282,6 +282,36 @@ class OptionalSensibleRegexAtHook(cfgv.OptionalNoDefault):
                )


+
+class PotentiallyDangerousTrailingCharactersAtHook(cfgv.OptionalNoDefault):
+    def _pre_process(self, value: str) -> str:
+        """Normalize the field value by removing tabs, newlines, spaces, and trailing )/."""
+        spaces_regex_pattern = r"\s+"
+        trailing_bracket_and_slash_pattern = r"\)/$"
+        combined_pattern = f"{spaces_regex_pattern}|{trailing_bracket_and_slash_pattern}"
+        return re.sub(combined_pattern, "", value.replace("\t", "").replace("\n", "").strip())
+
+    def check(self, dct: dict[str, Any]) -> None:
+        super().check(dct)
+        pipe_trailing_pattern = r"\|(\)|\/)?$"
+        slash_trailing_pattern = r"\/(\)|\/)?$"
+
+        pre_processed_field = self._pre_process(dct.get(self.key, ""))
+
+        if re.search(pipe_trailing_pattern, pre_processed_field):
+            logger.error(
+                f"Potentially dangerous trailing pipe pattern detected in {self.key!r} field of the hook: {dct.get('id')!r}"
+                "This can uninteded behaviour such as the files option being rendered empty"
+                "It is recommended to remove the trailing character prompted"
+            )
+
+        if re.search(slash_trailing_pattern, pre_processed_field):
+            logger.error(
+                f"Potentially dangerous trailing slash pattern detected in {self.key!r} field of the hook: {dct.get('id')!r}"
+                f"This can uninteded behaviour such as the files option being rendered empty"
+                f"It is recommended to remove the trailing character prompted"
+            )
+
 class OptionalSensibleRegexAtTop(cfgv.OptionalNoDefault):
    def check(self, dct: dict[str, Any]) -> None:
        super().check(dct)
@ -360,6 +390,8 @@ class NotAllowed(cfgv.OptionalNoDefault):
 _COMMON_HOOK_WARNINGS = (
    OptionalSensibleRegexAtHook('files', cfgv.check_string),
    OptionalSensibleRegexAtHook('exclude', cfgv.check_string),
+    PotentiallyDangerousTrailingCharactersAtHook('files', cfgv.check_string),
+    PotentiallyDangerousTrailingCharactersAtHook('exclude', cfgv.check_string),
    DeprecatedStagesWarning('stages'),
 )